[bionic:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y

Andy Whitcroft apw at canonical.com
Thu Feb 18 16:17:47 UTC 2021 

In order to support the livepatch key we need to ensure we do not allow
that key to load modules which are not for the specific kernel.  From
the documentation on kernel module signing:

  If you use the same private key to sign modules for multiple kernel
  configurations, you must ensure that the module version information is
  sufficient to prevent loading a module into a different kernel.  Either
  set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
  different kernel release string by changing ``EXTRAVERSION`` or
  ``CONFIG_LOCALVERSION``.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 debian.master/config/annotations          | 4 +++-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 52fa132d2063..4f2972daee7e 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -8612,9 +8612,11 @@ CONFIG_MODULES                                  policy<{'amd64': 'y', 'arm64': '
 CONFIG_MODULE_FORCE_LOAD                        policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_MODULE_UNLOAD                            policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_MODULE_FORCE_UNLOAD                      policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_MODVERSIONS                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_MODVERSIONS                              policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_MODULE_SRCVERSION_ALL                    policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_MODULE_COMPRESS                          policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+#
+CONFIG_MODVERSIONS                              mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key>
 
 # Menu: Enable loadable module support >> Compression algorithm
 
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 3ef3d8d6a2d8..f2a8b2e49b53 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_UNLOAD=y
-# CONFIG_MODVERSIONS is not set
+CONFIG_MODVERSIONS=y
 CONFIG_MONREADER=m
 CONFIG_MONWRITER=m
 CONFIG_MOST=m
-- 
2.29.2

More information about the kernel-team mailing list